As they become digitally enabled, small businesses are increasingly coming under attack from cyber criminals. Countering this requires greater awareness of the risk among small businesses, so that they can implement appropriate measures to protect themselves. Choosing those measures in turn requires an understanding of the anatomy of a cyber attack.
The Rising Threat Landscape for Small Businesses
The risk presented by cyber threats is a phenomenon which the owners of small businesses have not had to deal with as a major challenge in the past. This is because smaller businesses have in many cases only recently begun to digitize their operations. The Covid-19 pandemic was potentially the biggest driver of this digital transformation, as staff were required to work remotely and businesses used technology to engage customers without physical contact.
Despite the rapid adoption of technology, small businesses often underestimate the importance of cybersecurity and still tend to believe that they won’t fall victim to data breaches.
According to Verizon’s Data Breach Investigations Report, 61% of SMBs were the target of a cyber attack during 2021 and 2022. Accenture’s Cybercrime Study indicated that nearly 43% of cyber attacks are on small businesses, and only 14% of small businesses are prepared to face a cyber attack. According to the University of Maryland, 60% of small businesses impacted by a cyber attack go out of business within 6 months. These statistics unfortunately paint a very sobering picture of the need for small businesses to firstly understand the risks they are facing, and secondly take appropriate steps to mitigate them.
Understanding the Phases of a Cyber Attack
Cyber attackers usually conduct their activities in phases. Much research has gone into documenting how they conduct attacks and into building frameworks that describe the tactics, techniques and procedures (TTPs) which cyber attackers follow. By far the most rigorous and widely used framework is MITRE ATT&CK, which has become the gold standard for understanding the TTPs followed by attackers.
While a detailed discussion of MITRE ATT&CK is beyond the scope of this post, it is worth discussing some of the key tactics described by MITRE:
- Reconnaissance: This is the initial stage of most attacks, where the attacker attempts to gather information about the target and potential routes into the target’s infrastructure. Commonly used techniques include phishing, where attackers usually use emails to lure unsuspecting users into divulging sensitive information, for example by entering passwords into fake sites. Another technique is social engineering: faking communication from a trusted party, like a manager or a supplier, to induce the victim to divulge information or to do something like install malware, giving the attacker a path in. Social engineering is often combined with phishing.
- Initial Access: Once reconnaissance has revealed a path in, the attacker will use this “entry vector” to gain an initial foothold in the victim’s network. This could be via malware that is installed in a phishing attack, or by exploiting a vulnerability in an externally visible device, such as a firewall.
- Lateral Movement: The attacker, once inside, will often try to access other systems or applications in an attempt to find valuable data. This kind of activity leaves tracks, such as records of logins or access to systems. At first glance these “tracks” may not seem suspicious, but when combined with other activities, such as the initial access, they start to tell a story.
- Exfiltration: Once a cyber criminal has found valuable data, the next step is usually to exfiltrate it so that it can be used for gain or against the victim, often to extort a ransom in the case of ransomware, or to commit other cybercrimes where sensitive data like credit card numbers are stolen. The network activity required to exfiltrate data, and connections to known Command and Control (or “C2”) servers, can provide evidence of this activity.
- Impact: As the name suggests, this can often be the most immediately devastating technique used by an attacker, usually to either damage or disable a resource. This could involve encrypting data (to extract a ransom) or purely disabling a system to disrupt the victim’s business.
This summary only provides a glimpse into some of the TTPs used by attackers. A full description can be found on the MITRE ATT&CK website.
The Limitations of Traditional Security Measures
The phased nature of many cyber attacks demonstrates the complexity of these attacks, and the way in which they can touch multiple components of a business’s IT systems. This is unfortunately where many traditional security measures begin to show limitations. Firewalls, for example, focus on activity in the network domain, as protecting access to the network is their task. In the same vein, tools which protect endpoint computers, such as antivirus software or more modern endpoint detection and response (EDR) systems, focus on the endpoint. While these tools do the job of securing their own domain well, they can’t reflect the bigger picture of activity across multiple domains.
The proliferation of discrete security tools leaves IT staff dealing with separate streams of alerts in different systems. Not only can the volume of alerts become overwhelming, but it is almost impossible to correlate alerts between different tools, meaning that some attacks can go undetected.
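As an added illustration of the correlation problem described above (example code written for this post, not a Samurai XDR component): a small Python correlator that tags constructed firewall and endpoint events with the attack phases listed earlier and raises an alert for a host only when several distinct phases cluster within a short window. The hosts, addresses, the 10.0.0.0/8 internal range, the two-hour window and the transfer-size threshold are all assumptions.

```python
import ipaddress
from datetime import datetime, timedelta
# Constructed telemetry (hypothetical hosts/addresses): each line alone looks routine.
FIREWALL_LOG = """\
2024-02-01T09:02:11Z fw allow src=203.0.113.7 dst=10.0.0.5 dport=443 bytes=1200
2024-02-01T09:40:03Z fw allow src=10.0.0.5 dst=198.51.100.9 dport=443 bytes=734003200
"""
ENDPOINT_LOG = """\
2024-02-01T09:05:42Z edr host=10.0.0.5 event=new_process name=updater.exe
2024-02-01T09:21:17Z edr host=10.0.0.8 event=logon user=svc_backup from=10.0.0.5
"""
INTERNAL_NETS = (ipaddress.ip_network("10.0.0.0/8"),)  # assumed internal address ranges
WINDOW = timedelta(hours=2)       # phases must fall this close together to be linked
EXFIL_BYTES = 100 * 1024 * 1024   # outbound transfer size treated as suspicious

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def parse(text):
    # 'timestamp source key=value ...' lines -> (time, source, fields) tuples
    events = []
    for line in text.splitlines():
        ts, source, *rest = line.split()
        fields = dict(kv.split("=", 1) for kv in rest if "=" in kv)
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), source, fields))
    return events

def classify(event):
    # Map one event to (host, attack phase); None means it is not phase evidence.
    _, source, f = event
    if source == "fw":
        if not is_internal(f["src"]) and is_internal(f["dst"]):
            return f["dst"], "initial_access"       # inbound from the internet
        if is_internal(f["src"]) and not is_internal(f["dst"]) and int(f.get("bytes", 0)) > EXFIL_BYTES:
            return f["src"], "exfiltration"         # large transfer out of the network
    if source == "edr" and f.get("event") == "new_process":
        return f["host"], "execution"               # something ran on the host
    if source == "edr" and f.get("event") == "logon" and "from" in f:
        return f["from"], "lateral_movement"        # that host logged on elsewhere
    return None

def correlate(*logs, min_phases=3):
    # Group phase evidence by host; alert only when distinct phases cluster within WINDOW.
    per_host = {}
    for event in sorted((e for log in logs for e in parse(log)), key=lambda e: e[0]):
        tagged = classify(event)
        if tagged:
            per_host.setdefault(tagged[0], []).append((event[0], tagged[1]))
    windowed = {h: [p for t, p in s if t - s[0][0] <= WINDOW] for h, s in per_host.items()}
    return [{"host": h, "phases": ps} for h, ps in windowed.items() if len(set(ps)) >= min_phases]
```

Fed either stream on its own, correlate() returns nothing, because each tool only ever sees two of the phases; fed both, the same four lines produce one alert for 10.0.0.5 that tells the whole story.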
Large enterprises have addressed this problem by building complex security tooling stacks to analyze security information from their entire infrastructure. They have built solutions based on Security Information and Event Management (SIEM) systems, integrated to threat intelligence feeds. These systems usually require ongoing tuning by highly trained security analysts. The expense involved in this kind of approach is way beyond the budgets of small businesses.
The complexity and cost of threat detection solutions is a problem that dogged the cybersecurity industry until XDR (Extended Detection and Response) emerged on the scene. Instead of being a product that businesses install on their own hardware, XDR has evolved as Software as a Service (SaaS): an application delivered from the cloud that provides real-time threat detection and response as a single, cost-effective turnkey solution. This approach addresses the needs of businesses that have diverse security tools protecting their networks, endpoints and cloud applications, and that need a tool which brings security alerting and threat detection and response into a single pane of glass. Being a SaaS application, businesses do not need a specialist team to maintain their threat detection tooling - the provider of the XDR application does that for them. Furthermore, the intuitive interface provided by XDR makes it accessible to most IT staff, not just security specialists. This puts XDR firmly within the reach of smaller businesses that do not have dedicated security staff.
Implementing XDR in small businesses
XDR isn’t only conceptually simple. It is also easy to implement. Getting started involves as little as configuring firewalls, endpoint detection and response applications and cloud applications to send their logs or “telemetry” to the XDR application. From there, XDR starts detecting threats, providing a single prioritized view of alerts. By doing this, XDR brings all of the critical information needed to manage complex threats which might impact multiple technology areas into a single location where alerts can easily be managed and investigated, and responses initiated.
Samurai XDR provides an intuitive interface which allows small businesses to start leveraging state-of-the-art threat detection after just a few clicks of a mouse, using its secure syslog and cloud collectors to ingest telemetry from across your IT estate. This gives you visibility across your entire environment without being overwhelmed by floods of alerts from different tools. To find out more, sign up for our free 30 day trial.